What Stuxnet's Exposure As An American Weapon Means For Cyberwar

Two years of theories and speculation in the cybersecurity research community were confirmed Friday morning: Stuxnet was indeed the first known digital attack launched by a government to destroy another country's physical infrastructure. And the government that launched it was ours.

As revealed in an extensive report from an upcoming book by New York Times' Washington correspondent David Sanger, the Stuxnet malware that has fascinated cybersecurity researchers since it was discovered in the fall of 2010 was in fact built by U.S. and Israeli government agencies and deployed to disrupt Iranian nuclear enrichment facilities. It seems to have worked: One thousand of Iran's 5,000 enrichment centrifuges were temporarily put out of commission by the malware, and some sources within the Obama administration told the Times that Iran's nuclear ambitions may have been set back by as much as 18 months to two years.

But even in 2010, the Obama administration knew that the potential exposure of the program, which it codenamed "Olympic Games," would spell trouble.

"Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade," Sanger writes. "He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks."

That acknowledgment has now arrived, thanks in part to a bug in Stuxnet that caused it to spread far beyond its intended targets and catch the eye of antivirus researchers, and in part to Sanger's own excellent reporting, which ties the malware directly to Washington. So will the public confirmation of America's role as a cyberwarfare aggressor lead to the escalation of the digital arms race that Obama feared?

Jeffrey Carr, author of Inside Cyberwarfare and chief executive of cybersecurity consultancy Taia Global, believes it will. "This is a gift to Iran," says Carr of the Times' revelations. "I think it will give a reason--an excuse--for other countries to ramp up their offensive cyber capabilities. Certainly it gives Iran an excuse to take steps to retaliate in exchange for what’s occurred. It’s a really unfortunate disclosure."

After all, the original advantage of using a digital attack to sabotage Iran's nuclear facilities instead of a physical one, Carr says, was to keep the operation secret and allow deniability if it were discovered. "The whole point of a secret operation is that it stays secret and doesn’t blow back on the country that launched it," says Carr. "Now there's really no doubt left. It's really damning."

According to the Times' story, in fact, much of Stuxnet's effectiveness came from the mystery it created for the Iranians. The malware induced malfunctions in the centrifuges of the Natanz enrichment plant at random intervals over months, producing a different error each time, and hid those malfunctions from the diagnostic systems in the control room. The Iranians became so paranoid about their own hardware, according to Sanger, that they assigned staff to physically watch the centrifuges. "The intent was that the failures should make them feel they were stupid, which is what happened," one source said. In their confusion, plant managers shut down entire sections of the facility and fired workers. With so many details of Stuxnet's workings, and its origins, now revealed, it's unlikely the next digital weapon will have the same effect.
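The pattern the Times describes, faults at random intervals with a different error each time, is worth looking at from the defender's side. The following is an added illustration written for this page, not Stuxnet's code and not derived from any analysis of it; it models only what the paragraph states and then asks what two plausible control-room rules would see. The fault codes, the mean gap between faults, and both diagnostic rules are assumptions constructed for the example.

```python
import random
from collections import deque

# Constructed fault vocabulary for the illustration; these are not real
# centrifuge or PLC error codes.
FAULT_CODES = ["overspeed", "underspeed", "bearing_temp", "vibration", "pressure"]


def sabotage_schedule(total_days, mean_gap_days, rng):
    """Model of the described pattern: faults at exponentially distributed
    random gaps, cycling through FAULT_CODES so that no two consecutive
    faults carry the same code. Returns a list of (day, fault_code)."""
    events, day, i = [], 0.0, 0
    while True:
        day += rng.expovariate(1.0 / mean_gap_days)
        if day > total_days:
            return events
        events.append((round(day, 2), FAULT_CODES[i % len(FAULT_CODES)]))
        i += 1


def same_fault_alarm(events, window_days, repeats):
    """Assumed diagnostic A: alarm when ONE fault code recurs `repeats` times
    within `window_days`. Returns the day of the first alarm, or None."""
    seen = {}
    for day, code in events:
        q = seen.setdefault(code, deque())
        q.append(day)
        while day - q[0] > window_days:   # drop occurrences outside the window
            q.popleft()
        if len(q) >= repeats:
            return day
    return None


def any_fault_alarm(events, window_days, threshold):
    """Assumed diagnostic B: alarm when `threshold` faults of ANY code land
    within `window_days`, regardless of type. Returns first alarm day or None."""
    q = deque()
    for day, _ in events:
        q.append(day)
        while day - q[0] > window_days:
            q.popleft()
        if len(q) >= threshold:
            return day
    return None


if __name__ == "__main__":
    # One simulated year with a fault roughly every ten days on average.
    events = sabotage_schedule(365, 10, random.Random(2010))
    print(f"{len(events)} faults injected; first few: {events[:4]}")
    # Rule A needs the same code three times in 30 days; with five rotating
    # codes that takes eleven consecutive faults inside one window.
    print("same-code rule fires on day:", same_fault_alarm(events, 30, 3))
    # Rule B only asks how many faults of any kind fell in the window.
    print("any-code rule fires on day:", any_fault_alarm(events, 30, 3))
```

Rule A is the kind of diagnostic that a rotating error type defeats: it keys on recurrence of one signature, so varying the signature keeps each per-code count below threshold. Rule B ignores the signature and counts events, which the randomized schedule cannot hide as long as the overall fault rate is abnormal for the plant. Whether Natanz's diagnostics resembled either rule is not something the article says; the point of the model is only that detection of intermittent sabotage has to be framed around the rate of unexplained faults rather than around any one fault type.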

But the exposure of American involvement in Stuxnet shouldn't be blamed on the Times, says Mikko Hypponen, a malware researcher who has studied Stuxnet closely since its discovery in 2010. American fingerprints were all over Stuxnet from the moment antivirus researchers first saw the malware spreading out of the Middle East and infecting their clients' machines. "All the other governments must have already assumed it was the United States or the Israelis," says Hypponen. "We're already in this arms race, and there's nothing we can do to stop it now."

As early as the fall of 2010, researchers like Ralph Langner and a team at antivirus firm Symantec had reverse engineered Stuxnet to show that it specifically targeted the industrial controllers driving centrifuges at Iranian nuclear sites, with Natanz and Bushehr the suspected targets, which left little doubt about who had created it. And if independent researchers like Langner were able to reach that conclusion from the code alone, it's likely foreign intelligence services and others had already confirmed U.S. and Israeli involvement.

The real importance of confirming Stuxnet's American origin may be more introspective, says Bruce Schneier, a well-known cybersecurity guru and author: Now we know beyond a doubt that the potential for a cyberattack with physical consequences, so often portrayed as a foreign (and specifically Chinese) threat, actually starts at home. "Every country is engaging in the cyber war arms race," says Schneier. "This isn't one of our finer moments. But it's the truth. It's icky. But it's good to get the truth out."